Ledger Bounty Program

Get rewards for finding bugs

Ledger believes in better security through openness.

We follow Kerchoff’s principle, which says that the best security systems (such as private key cryptography) are so good that you can tell people exactly how they work, and it wouldn’t compromise them in any way.

Some parts of our code cannot be published – but that’s not because our security relies on keeping it private. Many of the companies we work with – quite fairly – have certain legal and contractual requirements that prevent us from sharing their intellectual property.

In general, discussing our technology publicly allows people to suggest improvements, making it even better.

We welcome and value reports of technical vulnerabilities that could substantially affect the confidentiality or integrity of user data on Ledger devices.

If you believe that you have discovered such a vulnerability, the Ledger Security Team will work with you to investigate and resolve the issue promptly.

Good faith external contributions that uncover previously unidentified vulnerabilities will be rewarded.

In a nutshell:

External security researchers are expected to:

  • Respect and operate within the disclosure guidelines and rules set out by the Ledger Security Team.
  • Accept that submissions outside of the eligibility scope may not be investigated.
  • Respect data protection principles and users’ privacy. Make a good faith effort not to access or destroy another user’s data.
  • Be patient. Make a good faith effort to clarify issues and support the Ledger Security team’s, efforts upon request.
  • Do no harm: report found vulnerabilities promptly. Never willfully exploit them without permission.

Ledger Security Team is expected to:

  • Prioritize security. Make a good faith effort to resolve reported security issues in a prompt and transparent manner.
  • Reward relevant and good faith research.
  • Give bounty recipients public recognition for their contributions when mutually agreed.
  • Do no harm: Not take unreasonable punitive actions against researchers, like making legal threats or referring matters to law enforcement.

Responsible Disclosure Policy

At Ledger, we believe that Coordinated Vulnerability Disclosure is the right approach to better protect users. When submitting a vulnerability report, you enter a form of cooperation in which you allow Ledger the opportunity to diagnose and remedy the vulnerability before disclosing its details to third parties and/or the general public.

In return, Ledger commits that security researchers reporting bugs will be protected from legal liability, so long as they follow responsible disclosure guidelines and principles.

In identifying potential vulnerabilities, we ask that all security researchers stick to the following principles:

  • Do not engage in testing that:
    • degrades Ledger’s information systems and products.
    • results in you, or any third party, accessing, storing, sharing or destroying Ledger or user data
    • may impact Ledger users, such as denial of service, social engineering or spam.
  • Do not try to attack our infrastructure. The Bounty Program is about improving security for Ledger users, not deliberately trying to put the community at risk.

Eligibility

Various kinds of security related bugs are eligible for our bounty program. Generally, any information which significantly helps us to improve the security of our products will be eligible for a reward. Bugs concerning User Experience may be rewarded, if they are security related.

While non-exhaustive, research on the following security issues is most likely eligible for a reward:

  • Apps loaded on a Ledger devices that  break isolation. i.e. (unsigned) apps that enable reading of the memory space of other apps or kernel.
  • Breaking the confidentiality assumption on Ledger’s device (i.e. access to critical information such as the seed or private keys)
  • PIN bypass
  • Remote code execution
  • Fooling the user into confirming actions without button presses
  • Fooling the user by modifying the screens (address displayed, running unsigned apps/OS without warning)

Some less critical bugs may also be rewarded such as (remotely) crashing the device, unexpected seed erase and anything that denies access to Ledger services.

Web vulnerabilities, unless substantially affecting user data and business operations are not eligible.

The following types of problems are not included in the Bounty Program

  • Bugs that are not responsively reported and investigated. It is important that security researchers work with our internal teams, in good faith.
  • Denial of service attacks on the Ledger website
  • Denial of service attack on our nodes or any part of our infrastructure
  • Bugs in our desktop app, unless they can lead to attacks on Ledger devices

Submission process

Submission reports should include a detailed description of your discovery with clear, concise steps allowing us to reproduce the issue, or a working proof-of-concept.

Low quality reports, such as those that include inadequate information to investigate, may incur significant delays in the disclosure process, which is in nobody’s interest. Please only submit one report per issue.

All communications between you and Ledger should go through [email protected]. Please make sure to request a GPG key before you submit any vulnerability information and any other sensitive data.

Do not use personal emails, social media accounts, or other private connections to contact a member of the Ledger Security Team regarding vulnerabilities or any issue related to the Bounty program, unless you have been instructed to do so by Ledger.

The Ledger Security Team will be in touch, usually within 24 hours.

When submitting a vulnerability report you agree that you may not publicly disclose your findings or the contents of your submission to any third parties in any way without Ledger’s prior written approval.

Remediation & Disclosure

After triage, we will send an expected timeline, and commit to being as transparent as possible about the remediation timeline as well as on issues or challenges that may extend it. You may receive updates with significant events such as the validation of the vulnerability, requests for additional information or your qualification for a reward.

Bug reporters allow Ledger the opportunity to diagnose and offer fully tested updates, workarounds, or other corrective measures before any party discloses detailed vulnerability or exploit information to the public.

Once the security issue is fixed or mitigated, the Ledger Security Team will contact you. Prior to any public announcement of a vulnerability, and to the extent permitted by the law, we will share the draft description of the vulnerability with you. In case of disagreement, we would explore mediation mechanisms.

Reward

You may be eligible to receive a reward if: (i) you are the first person to submit a given vulnerability; (ii) that vulnerability is determined to be a valid security issue by the Ledger Security Team; and (iii) you have complied with the Ledger Bounty program policy and guidelines.

The decision to grant a reward for the discovery of a valid security issue is at Ledger’s sole discretion. The amount of each bounty is based on the classification and sensitivity of the data impacted, the completeness of your Submission report, ease of exploit and overall risk for Ledger’s users and brand.

Bounties will be paid directly to the researcher using Bitcoin.

You will be responsible for any tax implications related to bounty payments you receive, as determined by the laws of your jurisdiction of residence or citizenship.

To be eligible for a reward, you must not:

  • Be a resident of, or make your vulnerability submission from, a country against which France has issued export sanctions or other trade restrictions;
  • Be in violation of any national, state, or local law or regulation;
  • Be employed by Ledger or its subsidiaries or affiliates;
  • Be an immediate family member of a person employed by Ledger or its subsidiaries or affiliates;
  • Be less than 18 years of age. If you are under 18 years old, or considered a minor in your place of residence, you must get your parents’ or legal guardian’s permission prior to participating in the program.

Wall of Fame

In mutual consultation, we can, if you desire, display a researcher’s name or its pseudonym as the discoverer of the reported vulnerability on our website’s « Wall of Fame ».

Ledger reserves the right to remove contribution information of any person that at any time does not comply with the Ledger Bounty program policy and guidelines.

LEDGER’S BOUNTY PROGRAM WALL OF FAME

  • Timothée Isnard
  • Saleem Rashid
  • Sergei Volokitin

This an experimental and discretionary rewards program. We may modify the terms of this program or terminate this program at any time without notice.